Data security breach

== Definition ==

A data security breach

== Overview ==

Data security breaches can take many forms and do not necessarily lead to any consumer injury. There are a variety of activities that may give rise to data security breaches. Breaches can result from intentional actions, including hacking,[1] employee theft,[2] theft of equipment (such as laptop computers[3] and hard drives),[4] and deception or misrepresentation to obtain unauthorized data.[5] They can also arise from negligent conduct by the organization that suffered the security breach, including the loss of laptop computers or hard disks,[6] loss of data tapes,[7] unintentional exposure of data on the Internet,[8] and improper disposal of data.[9]

Security breaches can also arise from an organization's implementation of software which the organization reasonably believes to be secure, but which contains vulnerabilities that render it insecure.[10]

== Major security breaches ==

Major data security breaches have been disclosed by the nation's largest information brokerage firms, retailers, companies, universities, and government agencies.[11] From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.[12] Massive data security breaches in 2005, 2006, and 2007 heightened interest in the security of personal information;[13] in the business and regulation of data brokers; in the liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for third-party companies' costs arising from data breaches;[14] and in remedies available to individuals whose personal information was accessed without authorization.[15]

Data security breaches illustrate (1) the risks associated with collecting and disseminating large amounts of electronic personal information, (2) the increased visibility of data security breaches as a result of consumer notice requirements, and (3) the potential risk of harm or injury to consumers from identity theft crimes (e.g., credit card fraud, check fraud, mortgage fraud, health-care fraud, and the evasion of law enforcement). According to a June 2007 GAO report,[16] there is no clear correlation between data security breaches and identity theft.

Information security[17] and breach notification[18] requirements are imposed on some entities that own, possess, or license sensitive personal information. Congress, the Executive Branch, the states, and the courts continue to confront the problem of data breaches. The Federal Trade Commission (FTC) has enforced consumer protection laws to enjoin and remedy lax information security practices. The President's Identity Theft Task Force reported its final recommendations in April 2007, including the establishment of national standards for entities to safeguard personal data and for notification to consumers of breaches that pose a significant risk of identity theft.[19] The payment card industry has also issued security standards and reporting requirements for organizations that handle bank cards.[20] The courts are also considering a number of lawsuits filed by consumers and banks based on the Federal Privacy Act and state common law breach of contract and negligence claims. State Attorneys General have also investigated data security breaches.

Many states have enacted laws requiring notice of security breaches of personal data and consumer redress. As of January 2007, 35 states had enacted data security laws requiring entities to notify persons affected by security breaches and, in some cases, to implement information security programs to protect the security, confidentiality, and integrity of data.[21] Congress and some states also have enacted credit freeze and fraud alert laws.[22] The Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. §§1681-1681x, amended the Fair Credit Reporting Act (FCRA) and added provisions designed to prevent and mitigate identity theft, including a section that enables consumers to place fraud alerts in their credit files. A federal law (the Veterans Affairs Information Security Act of 2006) and federal guidance (Office of Management and Budget Memorandum M-07-16 (2007)) were enacted to prevent and respond to federal agency data breaches. They require federal agencies that collect sensitive personal information to implement enhanced information security programs and provide notice to persons affected by data security breaches. Other federal laws, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, require private sector covered entities to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of personal information.

== Sample clause ==

== References ==

[1] In early 2007, TJX Companies reported unauthorized intrusions into its computer systems that may have led to the disclosure of credit card information and driver's license numbers on 45.7 million customers. See, e.g., Dan Kaplan, "45.7 Million-Victim TJX Companies Breach Could Lead to Federal Notification Law," SC Mag., Mar. 29, 2007 (full-text).
[2] See, e.g., Holly K. Towle, "Let's Play 'Name that Security Violation!'," 11 Cyberspace Law., Apr. 2006, at 11 (full-text).
[3] See, e.g., Robert Ellis Smith, "Laptop Hall Of Shame," Forbes.com, Sept. 7, 2006 (full-text).
[4] See, e.g., Dan Kaplan, "TSA Loses Hard Drive With Personal Information of 100,000 Employees," SC Mag., May 7, 2007 (full-text).
[5] See, e.g., Federal Trade Comm'n, "ChoicePoint Settles Data Security Breach Charges; to Pay $10 Million in Civil Penalties, $5 Million for Consumer Redress" (full-text).
[6] See, e.g., David Hubler, "New House VA Committee Chairman Laments Latest Laptop Loss," FCW.com, Feb. 6, 2007 (full-text); "HP Employees Suffer Data Exposure" (Mar. 23, 2006) (full-text).
[7] Paul Shread, "Bank's Tape Loss Puts Spotlight on Backup Practices" (Feb. 28, 2005) (full-text).
[8] See, e.g., "Data Exposure Response" (Jan. 25, 2007) (full-text).
[9] See, e.g., Debra Black, "Rogers Pins Data Dump on Sales Firm," thestar.com, Apr. 9, 2007 (full-text).
[10] Michael D. Scott, "Tort Liability for the Vendors of Insecure Software: Has the Time Finally Come?," 67 Md. L. Rev., Issue 2 (2008) (full-text).
[11] Personal Data Security Breaches: Context and Incident Summaries.
[12] See Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
[13] See Kenneth M. Siegel, "Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age," 111 Penn St. L. Rev. 779 (2007); Kamaal Zaidi, "Identity Theft and Consumer Protection: Finding Sensible Approaches to Safeguard Personal Data in the United States and Canada," 19 Loy. Consumer L. Rev. 99 (2007).
[14] At least six states have introduced bills designed to strengthen merchant security and/or hold companies liable for third-party companies' costs arising from data breaches (California, Connecticut, Illinois, Massachusetts, Minnesota, and Texas). See Timothy P. Tobin, "In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States" (full-text). The Minnesota bill was signed into law on May 21, 2007. 2007 Minn. Laws Ch. 108, H.F. 1758.
[15] The criminal liability of persons responsible for unauthorized access to computer systems is discussed in Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
[16] Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown.
[17] Information security standards are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes.
[18] Data breach notification laws require covered entities to provide notice to affected persons (e.g., cardholders, customers) about the occurrence of a data security breach. For further information, see Sean C. Honeywill, "Data Security and Data Breach Notification for Financial Institutions," 10 N.C. Banking Inst. 269 (2006); Lilia Rode, "Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security?," 43 Hous. L. Rev. 1597 (2007); Paul M. Schwartz & Edward J. Janger, "Notification of Database Security Breaches," 105 Mich. L. Rev. 913 (2007); Thomas J. Smedinghoff, "Security Breach Notification: Adapting to the Regulatory Framework," 21 Rev. of Banking & Fin. Servs. 115-24 (Dec. 2005).
[19] The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan.
[20] The Payment Card Industry (PCI) Data Security Standard (DSS) is an industry regulation developed by VISA, MasterCard, and other bank card distributors. It requires organizations that handle bank cards to conform to security standards and follow certain leveled requirements for testing and reporting. The core of the PCI DSS is a group of principles and accompanying requirements designed to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.
[21] Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Michigan, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. See Nat'l Conf. of State Legislatures, State Security Breach Notification Laws, http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm. See also "New Data Security Laws Take Effect in Several States," 75 U.S. Law Week 2388 (Jan. 9, 2007); John P. Hutchins, U.S. Data Breach Notification Law: State by State (2007).
[22] Security freeze laws (also referred to as "credit freeze" laws) are a form of identity theft victim assistance. A security freeze law allows a consumer to block unauthorized third parties from obtaining his or her credit report or score. See Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills.

== Source ==

* Data Security: Federal and State Laws, at 1.

[[Category:Technology]]
[[Category:Privacy]]
[[Category:Internet]]
[[Category:Legislation]]
[[Category:Legislation-U.S.-State]]
[[Category:Legislation-U.S.-Federal]]
[[Category:Legislation-U.S.-Privacy]]
[[Category:Definition]]